From patchwork Sun Sep 19 06:29:49 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 1960 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director8.mail.ord1d.rsapps.net ([172.30.191.6]) by backend30.mail.ord1d.rsapps.net with LMTP id kPUJOdllR2FxHgAAIUCqbw (envelope-from ) for ; Sun, 19 Sep 2021 12:31:21 -0400 Received: from proxy7.mail.ord1d.rsapps.net ([172.30.191.6]) by director8.mail.ord1d.rsapps.net with LMTP id MDfYONllR2EbEwAAfY0hYg (envelope-from ) for ; Sun, 19 Sep 2021 12:31:21 -0400 Received: from smtp11.gate.ord1d ([172.30.191.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy7.mail.ord1d.rsapps.net with LMTPS id QHSBONllR2HNWAAAMe1Fpw (envelope-from ) for ; Sun, 19 Sep 2021 12:31:21 -0400 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp11.gate.ord1d.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dmarc=none (p=nil; dis=none) header.from=rfc2549.org X-Suspicious-Flag: YES X-Classification-ID: 05cb458a-1967-11ec-a1d6-5254005f837b-1-1 Received: from [216.105.38.7] ([216.105.38.7:33804] helo=lists.sourceforge.net) by smtp11.gate.ord1d.rsapps.net (envelope-from ) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id 6E/0C-31074-9D567416; Sun, 19 Sep 2021 12:31:21 -0400 Received: from [127.0.0.1] (helo=sfs-ml-2.v29.lw.sourceforge.com) by sfs-ml-2.v29.lw.sourceforge.com with esmtp (Exim 4.92.3) (envelope-from ) id 1mRzi3-0008S0-TD; Sun, 19 Sep 2021 16:30:31 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-2.v29.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.92.3) (envelope-from ) id 1mRzhk-0008RH-8B for openvpn-devel@lists.sourceforge.net; Sun, 19 Sep 2021 16:30:12 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:Message-Id: Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=aR5+R8qBy/nLurAL3/mP3IQGF5mdJTtF73gBicQDA8I=; b=F9Zbg25OpRcPMW3tnmMue4vGG6 q/Gs+2Z+raqNfGN4+17at2ZHVmowOz6bo13j/LLWd3K41L6lLCzq7w1EesCyWw8Av0u1OnHN1h72M 2/tFNeC+ZUt93ZAJb+AkxqlEJHoWJZgl5FtKZitsCVppmag73EOrkcX2HWfli/caO4w4=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Transfer-Encoding:MIME-Version:Message-Id:Date:Subject:To:From: Sender:Reply-To:Cc:Content-Type:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To: References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post: List-Owner:List-Archive; bh=aR5+R8qBy/nLurAL3/mP3IQGF5mdJTtF73gBicQDA8I=; b=l vTiVXcU4A5rocDTGF6DGXfH/h2saZRqN53s5oMSJzOUXtJUEcPAviktvTqZzJ7XdaDAmtlK6xFAKk GK2l/igW3YiH+zkdt8Edorx4R70FWKEUD5MJ7xX7apsQyGiIOIOpvDs/YX8+hQhzc9CvEVjy3XSBH TtI1QDQoYNhvJHWM=; Received: from mail.blinkt.de ([192.26.174.232]) by sfi-mx-2.v28.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.92.3) id 1mRzhf-00052c-6Q for openvpn-devel@lists.sourceforge.net; Sun, 19 Sep 2021 16:30:12 +0000 Received: from kamera.blinkt.de ([2001:638:502:390:20c:29ff:fec8:535c]) by mail.blinkt.de with smtp (Exim 4.94.2 (FreeBSD)) (envelope-from ) id 1mRzhU-0002YU-9l for openvpn-devel@lists.sourceforge.net; Sun, 19 Sep 2021 18:29:56 +0200 Received: (nullmailer pid 695549 invoked by uid 10006); Sun, 19 Sep 2021 16:29:56 -0000 From: Arne Schwabe To: openvpn-devel@lists.sourceforge.net Date: Sun, 19 Sep 2021 18:29:49 +0200 Message-Id: <20210919162956.695496-1-arne@rfc2549.org> X-Mailer: git-send-email 2.25.1 MIME-Version: 1.0 X-Spam-Report: Spam detection software, running on the system "util-spamd-2.v13.lw.sourceforge.com", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: The old API is deprecated in OpenSSL 3.0 and the new API does not yet exist in OpenSSL 1.1. Emulating the new API would be more complex than just having two implementations. So this switches to a new [...] Content analysis details: (0.3 points, 6.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 0.0 SPF_NONE SPF: sender does not publish an SPF Record 0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record X-Headers-End: 1mRzhf-00052c-6Q Subject: [Openvpn-devel] [PATCH 1/8] [OSSL 3.0] Use new EVP_MAC API for HMAC implementation X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox The old API is deprecated in OpenSSL 3.0 and the new API does not yet exist in OpenSSL 1.1. Emulating the new API would be more complex than just having two implementations. So this switches to a new hmac implementation for OpenSSL 3.0. --- src/openvpn/crypto_backend.h | 2 +- src/openvpn/crypto_mbedtls.c | 2 +- src/openvpn/crypto_openssl.c | 82 +++++++++++++++++++++++++++++++++++- src/openvpn/crypto_openssl.h | 4 ++ 4 files changed, 86 insertions(+), 4 deletions(-) diff --git a/src/openvpn/crypto_backend.h b/src/openvpn/crypto_backend.h index e9447f82f..e0bfdf585 100644 --- a/src/openvpn/crypto_backend.h +++ b/src/openvpn/crypto_backend.h @@ -643,7 +643,7 @@ void hmac_ctx_cleanup(hmac_ctx_t *ctx); * * @return Size of the HMAC, or \0 if ctx is NULL. */ -int hmac_ctx_size(const hmac_ctx_t *ctx); +int hmac_ctx_size(hmac_ctx_t *ctx); /* * Resets the given HMAC context, preserving the associated key information diff --git a/src/openvpn/crypto_mbedtls.c b/src/openvpn/crypto_mbedtls.c index c632849db..e2f5f4012 100644 --- a/src/openvpn/crypto_mbedtls.c +++ b/src/openvpn/crypto_mbedtls.c @@ -939,7 +939,7 @@ hmac_ctx_cleanup(mbedtls_md_context_t *ctx) } int -hmac_ctx_size(const mbedtls_md_context_t *ctx) +hmac_ctx_size(mbedtls_md_context_t *ctx) { if (NULL == ctx) { diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c index 419265a51..f1b2d8b4a 100644 --- a/src/openvpn/crypto_openssl.c +++ b/src/openvpn/crypto_openssl.c @@ -1001,7 +1001,7 @@ md_ctx_final(EVP_MD_CTX *ctx, uint8_t *dst) * Generic HMAC functions * */ - +#if OPENSSL_VERSION_NUMBER < 0x30000000L HMAC_CTX * hmac_ctx_new(void) { @@ -1039,7 +1039,7 @@ hmac_ctx_cleanup(HMAC_CTX *ctx) } int -hmac_ctx_size(const HMAC_CTX *ctx) +hmac_ctx_size(HMAC_CTX *ctx) { return HMAC_size(ctx); } @@ -1066,6 +1066,84 @@ hmac_ctx_final(HMAC_CTX *ctx, uint8_t *dst) HMAC_Final(ctx, dst, &in_hmac_len); } +#else +EVP_MAC_CTX * +hmac_ctx_new(void) +{ + EVP_MAC *hmac = EVP_MAC_fetch(NULL, "HMAC", NULL); + EVP_MAC_CTX *ctx = EVP_MAC_CTX_new(hmac); + check_malloc_return(ctx); + return ctx; +} + +void +hmac_ctx_free(EVP_MAC_CTX *ctx) +{ + EVP_MAC_CTX_free(ctx); +} + +void +hmac_ctx_init(EVP_MAC_CTX *ctx, const uint8_t *key, int key_len, + const EVP_MD *kt) +{ + ASSERT(NULL != kt && NULL != ctx); + + /* Lookup/setting of parameters in OpenSSL 3.0 are string based */ + OSSL_PARAM params[2]; + + /* The OSSL_PARAM_construct_utf8_string needs a non const str but this + * only used for lookup so we cast (as OpenSSL also does internally) + * the constness away here */ + params[0] = OSSL_PARAM_construct_utf8_string("digest", + (char*) EVP_MD_get0_name(kt), 0); + params[1] = OSSL_PARAM_construct_end(); + + if (!EVP_MAC_init(ctx, key, key_len, params)) + { + crypto_msg(M_FATAL, "EVP_MAC_init failed"); + } + + /* make sure we used a big enough key */ + ASSERT(EVP_MAC_CTX_get_mac_size(ctx) <= key_len); +} + +void +hmac_ctx_cleanup(EVP_MAC_CTX *ctx) +{ + EVP_MAC_init(ctx, NULL, 0, NULL); +} + +int +hmac_ctx_size(EVP_MAC_CTX *ctx) +{ + return (int)EVP_MAC_CTX_get_mac_size(ctx); +} + +void +hmac_ctx_reset(EVP_MAC_CTX *ctx) +{ + if (!EVP_MAC_init(ctx, NULL, 0, NULL)) + { + crypto_msg(M_FATAL, "EVP_MAC_init failed"); + } +} + +void +hmac_ctx_update(EVP_MAC_CTX *ctx, const uint8_t *src, int src_len) +{ + EVP_MAC_update(ctx, src, src_len); +} + +void +hmac_ctx_final(EVP_MAC_CTX *ctx, uint8_t *dst) +{ + /* The calling code always gives us a buffer that has the size of our + * algorithm */ + size_t in_hmac_len = EVP_MAC_CTX_get_mac_size(ctx); + + EVP_MAC_final(ctx, dst, &in_hmac_len, in_hmac_len); +} +#endif int memcmp_constant_time(const void *a, const void *b, size_t size) diff --git a/src/openvpn/crypto_openssl.h b/src/openvpn/crypto_openssl.h index 59a31aacf..bafb3a245 100644 --- a/src/openvpn/crypto_openssl.h +++ b/src/openvpn/crypto_openssl.h @@ -47,7 +47,11 @@ typedef EVP_CIPHER_CTX cipher_ctx_t; typedef EVP_MD_CTX md_ctx_t; /** Generic HMAC %context. */ +#if OPENSSL_VERSION_NUMBER < 0x30000000L typedef HMAC_CTX hmac_ctx_t; +#else +typedef EVP_MAC_CTX hmac_ctx_t; +#endif /** Maximum length of an IV */ #define OPENVPN_MAX_IV_LENGTH EVP_MAX_IV_LENGTH From patchwork Sun Sep 19 06:29:50 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 1958 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director8.mail.ord1d.rsapps.net ([172.31.255.6]) by backend30.mail.ord1d.rsapps.net with LMTP id 4EhuBNllR2GUHgAAIUCqbw (envelope-from ) for ; Sun, 19 Sep 2021 12:31:21 -0400 Received: from proxy20.mail.iad3b.rsapps.net ([172.31.255.6]) by director8.mail.ord1d.rsapps.net with LMTP id OFmnA9llR2G+EgAAfY0hYg (envelope-from ) for ; Sun, 19 Sep 2021 12:31:21 -0400 Received: from smtp34.gate.iad3b ([172.31.255.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy20.mail.iad3b.rsapps.net with LMTPS id oHfgOdhlR2HXCgAAcDxLoQ (envelope-from ) for ; Sun, 19 Sep 2021 12:31:20 -0400 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp34.gate.iad3b.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dmarc=none (p=nil; dis=none) header.from=rfc2549.org X-Suspicious-Flag: YES X-Classification-ID: 051f9c26-1967-11ec-a204-5254005e8ddb-1-1 Received: from [216.105.38.7] ([216.105.38.7:44142] helo=lists.sourceforge.net) by smtp34.gate.iad3b.rsapps.net (envelope-from ) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id FD/51-02284-8D567416; Sun, 19 Sep 2021 12:31:20 -0400 Received: from [127.0.0.1] (helo=sfs-ml-4.v29.lw.sourceforge.com) by sfs-ml-4.v29.lw.sourceforge.com with esmtp (Exim 4.90_1) (envelope-from ) id 1mRzi1-0000EX-G7; Sun, 19 Sep 2021 16:30:29 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-4.v29.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.90_1) (envelope-from ) id 1mRzht-0000DF-1t for openvpn-devel@lists.sourceforge.net; Sun, 19 Sep 2021 16:30:21 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:References: In-Reply-To:Message-Id:Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=WmNgJtwB2p1HlFD5L3fwoHpOn+zxYhJE9e5XCrOaTFU=; b=ab+3mH7cIlQHgXVVZJuJXH5OES he/+BMrjuYhgbF5anXLssetUBlPLe8Zs1AlWqay55bDK+rPuThiGHohX/dmDsgPv2qoG+xeGuaULK 5hlOX2HfnQ5CBOHajnr39kjLDuJvZsK6jQ0VufHoSrj7w/6A3mk10e7e2aDlnzBjTHEk=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To:Message-Id: Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=WmNgJtwB2p1HlFD5L3fwoHpOn+zxYhJE9e5XCrOaTFU=; b=BVdciqybJsQ6FogV4ht3/LlgC1 Gl8S70sO7QNzRbAnlr0J8BJbx7S5Pc7FLIGXuGpcA1t2VzXS6me8LCcXnbcYv/RaA/QkLLDzqzl8r 7BUw3ue3nSbC/r+6F3GYOgY5eUyUnBtNKaZ2GBG5dvkhvaF2YJzdrJBELk0VHPJVMwZA=; Received: from mail.blinkt.de ([192.26.174.232]) by sfi-mx-1.v28.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.92.3) id 1mRzhi-00Fy7Q-DE for openvpn-devel@lists.sourceforge.net; Sun, 19 Sep 2021 16:30:13 +0000 Received: from kamera.blinkt.de ([2001:638:502:390:20c:29ff:fec8:535c]) by mail.blinkt.de with smtp (Exim 4.94.2 (FreeBSD)) (envelope-from ) id 1mRzhU-0002YW-BA for openvpn-devel@lists.sourceforge.net; Sun, 19 Sep 2021 18:29:56 +0200 Received: (nullmailer pid 695552 invoked by uid 10006); Sun, 19 Sep 2021 16:29:56 -0000 From: Arne Schwabe To: openvpn-devel@lists.sourceforge.net Date: Sun, 19 Sep 2021 18:29:50 +0200 Message-Id: <20210919162956.695496-2-arne@rfc2549.org> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20210919162956.695496-1-arne@rfc2549.org> References: <20210919162956.695496-1-arne@rfc2549.org> MIME-Version: 1.0 X-Spam-Report: Spam detection software, running on the system "util-spamd-2.v13.lw.sourceforge.com", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: Engine support is deprecated in OpenSSL 3.0. No longer use the deprecated API when running with OpenSSL 3.0 --- src/openvpn/crypto_openssl.c | 13 +++++++------ 1 file changed, 7 insertions(+), 6 delet [...] Content analysis details: (0.3 points, 6.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 0.0 SPF_NONE SPF: sender does not publish an SPF Record 0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record X-Headers-End: 1mRzhi-00Fy7Q-DE Subject: [Openvpn-devel] [PATCH 2/8] [OSSL 3.0] Disable engine support for OpenSSL 3.0 X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox Engine support is deprecated in OpenSSL 3.0. No longer use the deprecated API when running with OpenSSL 3.0 --- src/openvpn/crypto_openssl.c | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c index f1b2d8b4a..34a564e46 100644 --- a/src/openvpn/crypto_openssl.c +++ b/src/openvpn/crypto_openssl.c @@ -67,7 +67,7 @@ #warning Some OpenSSL HMAC message digests now support key lengths greater than MAX_HMAC_KEY_LENGTH -- consider increasing MAX_HMAC_KEY_LENGTH #endif -#if HAVE_OPENSSL_ENGINE +#if HAVE_OPENSSL_ENGINE && OPENSSL_VERSION_NUMBER < 0x30000000L #include #include @@ -132,7 +132,7 @@ setup_engine(const char *engine) void crypto_init_lib_engine(const char *engine_name) { -#if HAVE_OPENSSL_ENGINE +#if HAVE_OPENSSL_ENGINE && OPENSSL_VERSION_NUMBER < 0x30000000L if (!engine_initialized) { ASSERT(engine_name); @@ -182,7 +182,7 @@ crypto_uninit_lib(void) fclose(fp); #endif -#if HAVE_OPENSSL_ENGINE +#if HAVE_OPENSSL_ENGINE && OPENSSL_VERSION_NUMBER < 0x30000000L if (engine_initialized) { ENGINE_cleanup(); @@ -368,7 +368,8 @@ show_available_digests(void) void show_available_engines(void) { -#if HAVE_OPENSSL_ENGINE /* Only defined for OpenSSL */ +#if HAVE_OPENSSL_ENGINE && OPENSSL_VERSION_NUMBER < 0x30000000L + /* Only defined for OpenSSL */ ENGINE *e; printf("OpenSSL Crypto Engines\n\n"); @@ -1151,7 +1152,7 @@ memcmp_constant_time(const void *a, const void *b, size_t size) return CRYPTO_memcmp(a, b, size); } -#if HAVE_OPENSSL_ENGINE +#if HAVE_OPENSSL_ENGINE && OPENSSL_VERSION_NUMBER < 0x30000000L static int ui_reader(UI *ui, UI_STRING *uis) { @@ -1175,7 +1176,7 @@ ui_reader(UI *ui, UI_STRING *uis) EVP_PKEY * engine_load_key(const char *file, SSL_CTX *ctx) { -#if HAVE_OPENSSL_ENGINE +#if HAVE_OPENSSL_ENGINE && OPENSSL_VERSION_NUMBER < 0x30000000L UI_METHOD *ui; EVP_PKEY *pkey; From patchwork Sun Sep 19 06:29:51 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 1956 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director12.mail.ord1d.rsapps.net ([172.30.191.6]) by backend30.mail.ord1d.rsapps.net with LMTP id 2P9rL9hlR2FzHgAAIUCqbw (envelope-from ) for ; Sun, 19 Sep 2021 12:31:20 -0400 Received: from proxy19.mail.ord1d.rsapps.net ([172.30.191.6]) by director12.mail.ord1d.rsapps.net with LMTP id 6CMuL9hlR2FJGQAAIasKDg (envelope-from ) for ; Sun, 19 Sep 2021 12:31:20 -0400 Received: from smtp2.gate.ord1d ([172.30.191.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy19.mail.ord1d.rsapps.net with LMTPS id oEvWLthlR2ERJAAAyH2SIw (envelope-from ) for ; Sun, 19 Sep 2021 12:31:20 -0400 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp2.gate.ord1d.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dmarc=none (p=nil; dis=none) header.from=rfc2549.org X-Suspicious-Flag: YES X-Classification-ID: 050c8960-1967-11ec-911d-5254004a0287-1-1 Received: from [216.105.38.7] ([216.105.38.7:33788] helo=lists.sourceforge.net) by smtp2.gate.ord1d.rsapps.net (envelope-from ) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id 65/A1-02304-8D567416; Sun, 19 Sep 2021 12:31:20 -0400 Received: from [127.0.0.1] (helo=sfs-ml-2.v29.lw.sourceforge.com) by sfs-ml-2.v29.lw.sourceforge.com with esmtp (Exim 4.92.3) (envelope-from ) id 1mRzi4-0008SE-7l; Sun, 19 Sep 2021 16:30:32 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-2.v29.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.92.3) (envelope-from ) id 1mRzht-0008RQ-6B for openvpn-devel@lists.sourceforge.net; Sun, 19 Sep 2021 16:30:21 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:References: In-Reply-To:Message-Id:Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=VuLEMLAwjhzDbxmFKVwF15oaB20aWzNb6rFwvXo5FnA=; b=At7S2sENhVBcOIB3Tf6zb4HBgI cYtynGZ6/g3HkcHbrl89B53mjq8idCFaaZ366AJzwe1t/d0FksFzjLpC7PcQkIh0TS/XLjkVH/rTP ErrLN36OI3G+EdcW5xmKno3pi7Ozie6YEqIpJQ14lDrTznU5Q+lKU9kyLEEYlXzWlDfM=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To:Message-Id: Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=VuLEMLAwjhzDbxmFKVwF15oaB20aWzNb6rFwvXo5FnA=; b=WwB/FC8goJqQfAdC1NINj/bw1V RtyFq02KU9rVIpf1v3Q2PW+lHEQ/H1nVgHGwFiv1n4/c0UFV+VNEt2J07qWRyuIeDKwmzVNk2T+/i xvooYbsGKlrM5AFQrOFco/3J9F3lEn9z7z78wTmR5n8pP/1kgQ4Dom8K9ZIR9q0yDvLg=; Received: from mail.blinkt.de ([192.26.174.232]) by sfi-mx-1.v28.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.92.3) id 1mRzhi-00Fy7R-E6 for openvpn-devel@lists.sourceforge.net; Sun, 19 Sep 2021 16:30:14 +0000 Received: from kamera.blinkt.de ([2001:638:502:390:20c:29ff:fec8:535c]) by mail.blinkt.de with smtp (Exim 4.94.2 (FreeBSD)) (envelope-from ) id 1mRzhU-0002YY-Dc for openvpn-devel@lists.sourceforge.net; Sun, 19 Sep 2021 18:29:56 +0200 Received: (nullmailer pid 695555 invoked by uid 10006); Sun, 19 Sep 2021 16:29:56 -0000 From: Arne Schwabe To: openvpn-devel@lists.sourceforge.net Date: Sun, 19 Sep 2021 18:29:51 +0200 Message-Id: <20210919162956.695496-3-arne@rfc2549.org> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20210919162956.695496-1-arne@rfc2549.org> References: <20210919162956.695496-1-arne@rfc2549.org> MIME-Version: 1.0 X-Spam-Report: Spam detection software, running on the system "util-spamd-2.v13.lw.sourceforge.com", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: Even though DES is super outdated and also NTLM is super outdated, eliminating the warnings for OpenSSL 3.0 is still a step in the right direction and using the correct APIs. --- src/openvpn/crypto_op [...] Content analysis details: (0.3 points, 6.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 0.0 SPF_NONE SPF: sender does not publish an SPF Record 0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record X-Headers-End: 1mRzhi-00Fy7R-E6 Subject: [Openvpn-devel] [PATCH 3/8] [OSSL 3.0] Implement DES ECB encrypt via EVP_CIPHER api X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox Even though DES is super outdated and also NTLM is super outdated, eliminating the warnings for OpenSSL 3.0 is still a step in the right direction and using the correct APIs. --- src/openvpn/crypto_openssl.c | 22 +++++++++++++++++++--- 1 file changed, 19 insertions(+), 3 deletions(-) diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c index 34a564e46..b4c59557b 100644 --- a/src/openvpn/crypto_openssl.c +++ b/src/openvpn/crypto_openssl.c @@ -880,10 +880,26 @@ cipher_des_encrypt_ecb(const unsigned char key[DES_KEY_LENGTH], unsigned char src[DES_KEY_LENGTH], unsigned char dst[DES_KEY_LENGTH]) { - DES_key_schedule sched; + EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new(); + if (!ctx) + { + crypto_msg(M_FATAL, "%s: EVP_CIPHER_CTX_new() failed", __func__); + } + if (!EVP_EncryptInit_ex(ctx, EVP_bf_ecb(), NULL, key, 0)) + { + crypto_msg(M_FATAL, "%s: EVP_EncryptInit_ex() failed", __func__); + } - DES_set_key_unchecked((DES_cblock *)key, &sched); - DES_ecb_encrypt((DES_cblock *)src, (DES_cblock *)dst, &sched, DES_ENCRYPT); + int len; + if(!EVP_EncryptUpdate(ctx, dst, &len, src, DES_KEY_LENGTH)) + { + crypto_msg(M_FATAL, "%s: EVP_EncryptUpdate() failed", __func__); + } + + if (!EVP_EncryptFinal(ctx, dst + len, &len)) + { + crypto_msg(M_FATAL, "%s: EVP_EncryptFinal() failed", __func__); + } } /* From patchwork Sun Sep 19 06:29:52 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 1955 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director7.mail.ord1d.rsapps.net ([172.30.191.6]) by backend30.mail.ord1d.rsapps.net with LMTP id aJTTINhlR2FzHgAAIUCqbw (envelope-from ) for ; Sun, 19 Sep 2021 12:31:20 -0400 Received: from proxy11.mail.ord1d.rsapps.net ([172.30.191.6]) by director7.mail.ord1d.rsapps.net with LMTP id cAu5INhlR2E0ZQAAovjBpQ (envelope-from ) for ; Sun, 19 Sep 2021 12:31:20 -0400 Received: from smtp29.gate.ord1d ([172.30.191.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy11.mail.ord1d.rsapps.net with LMTPS id kCbpD8hlR2F4NgAAgKDEHA (envelope-from ) for ; Sun, 19 Sep 2021 12:31:04 -0400 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp29.gate.ord1d.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dmarc=none (p=nil; dis=none) header.from=rfc2549.org X-Suspicious-Flag: YES X-Classification-ID: 0506db3c-1967-11ec-ad97-525400f257a9-1-1 Received: from [216.105.38.7] ([216.105.38.7:50826] helo=lists.sourceforge.net) by smtp29.gate.ord1d.rsapps.net (envelope-from ) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id FA/20-02359-8D567416; Sun, 19 Sep 2021 12:31:20 -0400 Received: from [127.0.0.1] (helo=sfs-ml-1.v29.lw.sourceforge.com) by sfs-ml-1.v29.lw.sourceforge.com with esmtp (Exim 4.90_1) (envelope-from ) id 1mRzi0-0002rJ-Hx; Sun, 19 Sep 2021 16:30:28 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-1.v29.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.90_1) (envelope-from ) id 1mRzht-0002pD-6A for openvpn-devel@lists.sourceforge.net; Sun, 19 Sep 2021 16:30:21 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:References: In-Reply-To:Message-Id:Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=aAZGYDP/4Q7A2Hdh1yiyLAN2ZqEw+EEJpuBmJZEq4JM=; b=GbLjNJc8lJqtoggGtrEEliiA7G l5qgR9J+21ux28J/Ax1QJ6Y8OzOLqZsMSoY2TQ3nVz4qZCw2rJR9bhdnNMoCaXfmupyvrlTTDoBZ1 yTtXxVS2azyEH48QdpqdIz/06jVzmqJowz4Rz2tKfZPQo4el7o95j/N2tEx1t7+U8tS4=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To:Message-Id: Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=aAZGYDP/4Q7A2Hdh1yiyLAN2ZqEw+EEJpuBmJZEq4JM=; b=XWXUpaJ01MC1xqghL32GGZp5jt dIAZoWp19B6GMwoEesxPo2+Ya6qVOBiHuownUgYswixAgf70PTtHBk3lmjMM+3vvzLOw0Kpi9B8dP 7AK6YJt0SiB/MNeozJUthj21sAqegzSbUbjak8rVQDrWOI6UXfjtRc+9vWJhYKpf7sbg=; Received: from mail.blinkt.de ([192.26.174.232]) by sfi-mx-1.v28.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.92.3) id 1mRzhi-00Fy7S-EM for openvpn-devel@lists.sourceforge.net; Sun, 19 Sep 2021 16:30:13 +0000 Received: from kamera.blinkt.de ([2001:638:502:390:20c:29ff:fec8:535c]) by mail.blinkt.de with smtp (Exim 4.94.2 (FreeBSD)) (envelope-from ) id 1mRzhU-0002Yd-HK for openvpn-devel@lists.sourceforge.net; Sun, 19 Sep 2021 18:29:56 +0200 Received: (nullmailer pid 695558 invoked by uid 10006); Sun, 19 Sep 2021 16:29:56 -0000 From: Arne Schwabe To: openvpn-devel@lists.sourceforge.net Date: Sun, 19 Sep 2021 18:29:52 +0200 Message-Id: <20210919162956.695496-4-arne@rfc2549.org> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20210919162956.695496-1-arne@rfc2549.org> References: <20210919162956.695496-1-arne@rfc2549.org> MIME-Version: 1.0 X-Spam-Report: Spam detection software, running on the system "util-spamd-2.v13.lw.sourceforge.com", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: DES is very deprecated and accidently getting on the of the 16 insecure keys that OpenSSL checks is extremely unlikely so we no longer use the deprecated functions without replacement in OpenSSL 3.0. [...] Content analysis details: (0.3 points, 6.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 0.0 SPF_NONE SPF: sender does not publish an SPF Record 0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record X-Headers-End: 1mRzhi-00Fy7S-EM Subject: [Openvpn-devel] [PATCH 4/8] [OSSL 3.0] Remove DES check with OpenSSL 3.0 X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox DES is very deprecated and accidently getting on the of the 16 insecure keys that OpenSSL checks is extremely unlikely so we no longer use the deprecated functions without replacement in OpenSSL 3.0. --- src/openvpn/crypto_openssl.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c index b4c59557b..9df6da02c 100644 --- a/src/openvpn/crypto_openssl.c +++ b/src/openvpn/crypto_openssl.c @@ -522,6 +522,11 @@ key_des_num_cblocks(const EVP_CIPHER *kt) bool key_des_check(uint8_t *key, int key_len, int ndc) { +#if OPENSSL_VERSION_NUMBER < 0x30000000L + /* DES is deprecated and the method to even check the keys is deprecated + * in OpenSSL 3.0. Instead of checking for the 16 weak/semi-weak keys + * we just accept them in OpenSSL 3.0 since the risk of randomly getting + * these is pretty weak */ int i; struct buffer b; @@ -554,6 +559,9 @@ key_des_check(uint8_t *key, int key_len, int ndc) err: ERR_clear_error(); return false; +#else + return true; +#endif } void From patchwork Sun Sep 19 06:29:53 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 1953 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director14.mail.ord1d.rsapps.net ([172.30.191.6]) by backend30.mail.ord1d.rsapps.net with LMTP id gKYiL9dlR2FuHgAAIUCqbw (envelope-from ) for ; Sun, 19 Sep 2021 12:31:19 -0400 Received: from proxy16.mail.ord1d.rsapps.net ([172.30.191.6]) by director14.mail.ord1d.rsapps.net with LMTP id mHDXLtdlR2HCBAAAeJ7fFg (envelope-from ) for ; Sun, 19 Sep 2021 12:31:19 -0400 Received: from smtp27.gate.ord1d ([172.30.191.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy16.mail.ord1d.rsapps.net with LMTPS id CGiJLtdlR2GVaQAAetu3IA (envelope-from ) for ; Sun, 19 Sep 2021 12:31:19 -0400 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp27.gate.ord1d.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dmarc=none (p=nil; dis=none) header.from=rfc2549.org X-Suspicious-Flag: YES X-Classification-ID: 04690dbc-1967-11ec-8d4a-5254003773d7-1-1 Received: from [216.105.38.7] ([216.105.38.7:33772] helo=lists.sourceforge.net) by smtp27.gate.ord1d.rsapps.net (envelope-from ) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id 2B/CE-06003-7D567416; Sun, 19 Sep 2021 12:31:19 -0400 Received: from [127.0.0.1] (helo=sfs-ml-2.v29.lw.sourceforge.com) by sfs-ml-2.v29.lw.sourceforge.com with esmtp (Exim 4.92.3) (envelope-from ) id 1mRzi4-0008ST-Eh; Sun, 19 Sep 2021 16:30:32 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-2.v29.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.92.3) (envelope-from ) id 1mRzht-0008RP-6F for openvpn-devel@lists.sourceforge.net; Sun, 19 Sep 2021 16:30:21 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:References: In-Reply-To:Message-Id:Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=CFxAflXcwgky7Vh56KiYp4ITbihNnCTpg+Zh4Jq76a8=; b=SfiyVZbXWn7mn2weSMuB5ZvSBM 549iPejdZuX1mOt/TtPTT4ohuPLy435Ec6jipTQnf/w//tmW7oySEHVlqFWekWfwTCX1/n/2Wpysy wTphekcAbptfCBWjSmIRyOvbhgu9IDXdOrL0JNpywAeS6ULK2LcLHmSXrJtspcETeD3c=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To:Message-Id: Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=CFxAflXcwgky7Vh56KiYp4ITbihNnCTpg+Zh4Jq76a8=; b=PNBc8Mh5Vnaov34SvTQbhVOzhZ FYAMjoQQ1E/3aAjykZS9IyH5IjavYYVh45qz3adSWwSiZqJghHuW75XIcH9Vd3PIVegPaL63aSiOy vwLSgPaHdZujIw9TeG430w5z9GlYeRCErk+siqSTKQnkp1DE44b2Y1V3rvVGYd2yyC64=; Received: from mail.blinkt.de ([192.26.174.232]) by sfi-mx-1.v28.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.92.3) id 1mRzhi-00Fy7T-CA for openvpn-devel@lists.sourceforge.net; Sun, 19 Sep 2021 16:30:13 +0000 Received: from kamera.blinkt.de ([2001:638:502:390:20c:29ff:fec8:535c]) by mail.blinkt.de with smtp (Exim 4.94.2 (FreeBSD)) (envelope-from ) id 1mRzhU-0002Yg-KI for openvpn-devel@lists.sourceforge.net; Sun, 19 Sep 2021 18:29:56 +0200 Received: (nullmailer pid 695561 invoked by uid 10006); Sun, 19 Sep 2021 16:29:57 -0000 From: Arne Schwabe To: openvpn-devel@lists.sourceforge.net Date: Sun, 19 Sep 2021 18:29:53 +0200 Message-Id: <20210919162956.695496-5-arne@rfc2549.org> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20210919162956.695496-1-arne@rfc2549.org> References: <20210919162956.695496-1-arne@rfc2549.org> MIME-Version: 1.0 X-Spam-Report: Spam detection software, running on the system "util-spamd-2.v13.lw.sourceforge.com", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: OpenSSL 3.0 replaces the DH API with a generic EVP_KEY based API to load DH parameters. --- src/openvpn/ssl_openssl.c | 23 +++++++++++++++++++++-- 1 file changed, 21 insertions(+), 2 deletions(-) diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index 241206fb2..d8ac25fbc 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -645,7 +645,6 @@ void tls_ctx_lo [...] Content analysis details: (0.3 points, 6.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 0.0 SPF_NONE SPF: sender does not publish an SPF Record 0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record X-Headers-End: 1mRzhi-00Fy7T-CA Subject: [Openvpn-devel] [PATCH 5/8] [OSSL 3.0] Use EVP_PKEY based API for loading DH keys X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox OpenSSL 3.0 replaces the DH API with a generic EVP_KEY based API to load DH parameters. --- src/openvpn/ssl_openssl.c | 23 +++++++++++++++++++++-- 1 file changed, 21 insertions(+), 2 deletions(-) diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index 241206fb2..d8ac25fbc 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -645,7 +645,6 @@ void tls_ctx_load_dh_params(struct tls_root_ctx *ctx, const char *dh_file, bool dh_file_inline) { - DH *dh; BIO *bio; ASSERT(NULL != ctx); @@ -666,7 +665,26 @@ tls_ctx_load_dh_params(struct tls_root_ctx *ctx, const char *dh_file, } } - dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL); +#if OPENSSL_VERSION_NUMBER >= 0x30000000L + EVP_PKEY *dh = PEM_read_bio_Parameters(bio, NULL); + BIO_free(bio); + + if (!dh) + { + crypto_msg(M_FATAL, "Cannot load DH parameters from %s", + print_key_filename(dh_file, dh_file_inline)); + } + if (!SSL_CTX_set0_tmp_dh_pkey(ctx->ctx, dh)) + { + crypto_msg(M_FATAL, "SSL_CTX_set_tmp_dh"); + } + + msg(D_TLS_DEBUG_LOW, "Diffie-Hellman initialized with %d bit key", + 8 * EVP_PKEY_get_size(dh)); + + EVP_PKEY_free(dh); +#else + DH *dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL); BIO_free(bio); if (!dh) @@ -683,6 +701,7 @@ tls_ctx_load_dh_params(struct tls_root_ctx *ctx, const char *dh_file, 8 * DH_size(dh)); DH_free(dh); +#endif } void From patchwork Sun Sep 19 06:29:54 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 1954 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director11.mail.ord1d.rsapps.net ([172.31.255.6]) by backend30.mail.ord1d.rsapps.net with LMTP id oE20A9hlR2FyHgAAIUCqbw (envelope-from ) for ; Sun, 19 Sep 2021 12:31:20 -0400 Received: from proxy5.mail.iad3b.rsapps.net ([172.31.255.6]) by director11.mail.ord1d.rsapps.net with LMTP id CLyDA9hlR2F2QgAAvGGmqA (envelope-from ) for ; Sun, 19 Sep 2021 12:31:20 -0400 Received: from smtp2.gate.iad3b ([172.31.255.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy5.mail.iad3b.rsapps.net with LMTPS id mOBBNtdlR2GeSQAA13hMnw (envelope-from ) for ; Sun, 19 Sep 2021 12:31:19 -0400 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp2.gate.iad3b.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dmarc=none (p=nil; dis=none) header.from=rfc2549.org X-Suspicious-Flag: YES X-Classification-ID: 04659132-1967-11ec-9951-5254000fbace-1-1 Received: from [216.105.38.7] ([216.105.38.7:44124] helo=lists.sourceforge.net) by smtp2.gate.iad3b.rsapps.net (envelope-from ) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id 11/D0-15690-7D567416; Sun, 19 Sep 2021 12:31:19 -0400 Received: from [127.0.0.1] (helo=sfs-ml-4.v29.lw.sourceforge.com) by sfs-ml-4.v29.lw.sourceforge.com with esmtp (Exim 4.90_1) (envelope-from ) id 1mRzhu-0000Dl-CM; Sun, 19 Sep 2021 16:30:22 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-4.v29.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.90_1) (envelope-from ) id 1mRzht-0000DL-1t for openvpn-devel@lists.sourceforge.net; Sun, 19 Sep 2021 16:30:21 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:References: In-Reply-To:Message-Id:Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=wphNlswnVLv313+QvstK/G/KXROIaQBJFp6jWBq47Fw=; b=k4PM286vYQRD2lus4b3qtPnM2R tOurP9M668yTa2xVC7/VH+zwAWPbeBStqfD01l+vOvH/FZCxNWJ8uLr0dlvsosmQp1qYAt9I6MUHY dAsXdztvoH4It1IkGR/uIl2I3nKhZl5a/i4PgjRzz9V1K/4XHRoscsvHqC87LvnHWFW4=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To:Message-Id: Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=wphNlswnVLv313+QvstK/G/KXROIaQBJFp6jWBq47Fw=; b=R9jjf/hIub+OFuZQ8zA5S7xeiu aPyvhanM6l7xzji+HFYR7BF4nf9xAaMyD0sMMDlWAH1F+CJvZve9x94nC9UkAnT4ROmjmSD+Vs+JA ii3MxCONTLCw3MOb4hEQDO+avPk5pcqu/5lGrBKdry9pmuiUkxW1+/2dH/Frgr3WnjC8=; Received: from mail.blinkt.de ([192.26.174.232]) by sfi-mx-1.v28.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.92.3) id 1mRzhi-00Fy7U-Ed for openvpn-devel@lists.sourceforge.net; Sun, 19 Sep 2021 16:30:17 +0000 Received: from kamera.blinkt.de ([2001:638:502:390:20c:29ff:fec8:535c]) by mail.blinkt.de with smtp (Exim 4.94.2 (FreeBSD)) (envelope-from ) id 1mRzhU-0002Yk-Ne for openvpn-devel@lists.sourceforge.net; Sun, 19 Sep 2021 18:29:56 +0200 Received: (nullmailer pid 695564 invoked by uid 10006); Sun, 19 Sep 2021 16:29:57 -0000 From: Arne Schwabe To: openvpn-devel@lists.sourceforge.net Date: Sun, 19 Sep 2021 18:29:54 +0200 Message-Id: <20210919162956.695496-6-arne@rfc2549.org> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20210919162956.695496-1-arne@rfc2549.org> References: <20210919162956.695496-1-arne@rfc2549.org> MIME-Version: 1.0 X-Spam-Report: Spam detection software, running on the system "util-spamd-2.v13.lw.sourceforge.com", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: OpenSSL 3.0 deprecates SSL_CTX_set_tmp_ecdh() in favour of SSL_CTX_set1_groups(3). We already support the SSL_CTX_set1_groups using the --tls-groups. Adjust both mbed TLS and OpenSSL 3.0 to say that - [...] Content analysis details: (0.3 points, 6.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 0.0 SPF_NONE SPF: sender does not publish an SPF Record 0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record X-Headers-End: 1mRzhi-00Fy7U-Ed Subject: [Openvpn-devel] [PATCH 6/8] [OSSL 3.0] Deprecate --ecdh-curve with OpenSSL 3.0 and adjust mbed TLS message X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox OpenSSL 3.0 deprecates SSL_CTX_set_tmp_ecdh() in favour of SSL_CTX_set1_groups(3). We already support the SSL_CTX_set1_groups using the --tls-groups. Adjust both mbed TLS and OpenSSL 3.0 to say that --ecdh-curve is ingored and --tls-groups should be used. --- src/openvpn/ssl_mbedtls.c | 5 +++-- src/openvpn/ssl_openssl.c | 12 +++++++++--- 2 files changed, 12 insertions(+), 5 deletions(-) diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c index cea88f41e..e7c45c099 100644 --- a/src/openvpn/ssl_mbedtls.c +++ b/src/openvpn/ssl_mbedtls.c @@ -440,8 +440,9 @@ tls_ctx_load_ecdh_params(struct tls_root_ctx *ctx, const char *curve_name { if (NULL != curve_name) { - msg(M_WARN, "WARNING: mbed TLS builds do not support specifying an ECDH " - "curve, using default curves."); + msg(M_WARN, "WARNING: mbed TLS builds do not support specifying an " + "ECDH curve with --ecdh-curve, using default curves. Use " + "--tls-groups to specify curves."); } } diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index d8ac25fbc..68cdb880c 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -705,10 +705,16 @@ tls_ctx_load_dh_params(struct tls_root_ctx *ctx, const char *dh_file, } void -tls_ctx_load_ecdh_params(struct tls_root_ctx *ctx, const char *curve_name - ) +tls_ctx_load_ecdh_params(struct tls_root_ctx *ctx, const char *curve_name) { -#ifndef OPENSSL_NO_EC +#if OPENSSL_VERSION_NUMBER >= 0x30000000L + if (curve_name != NULL) + { + msg(M_WARN, "WARNING: OpenSSL 3.0+ builds do not support specifying an " + "ECDH curve with --ecdh-curve, using default curves. Use " + "--tls-groups to specify groups."); + } +#elif !defined(OPENSSL_NO_EC) int nid = NID_undef; EC_KEY *ecdh = NULL; const char *sname = NULL; From patchwork Sun Sep 19 06:29:55 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 1959 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director15.mail.ord1d.rsapps.net ([172.31.255.6]) by backend30.mail.ord1d.rsapps.net with LMTP id KPTCB9llR2FxHgAAIUCqbw (envelope-from ) for ; Sun, 19 Sep 2021 12:31:21 -0400 Received: from proxy11.mail.iad3b.rsapps.net ([172.31.255.6]) by director15.mail.ord1d.rsapps.net with LMTP id oJB8B9llR2E2CAAAIcMcQg (envelope-from ) for ; Sun, 19 Sep 2021 12:31:21 -0400 Received: from smtp15.gate.iad3b ([172.31.255.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy11.mail.iad3b.rsapps.net with LMTPS id KJe3AdllR2HnMQAARNREpw (envelope-from ) for ; Sun, 19 Sep 2021 12:31:21 -0400 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp15.gate.iad3b.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dmarc=none (p=nil; dis=none) header.from=rfc2549.org X-Suspicious-Flag: YES X-Classification-ID: 050b2cf0-1967-11ec-8b02-5254003d6d3a-1-1 Received: from [216.105.38.7] ([216.105.38.7:44136] helo=lists.sourceforge.net) by smtp15.gate.iad3b.rsapps.net (envelope-from ) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id 45/DB-09934-8D567416; Sun, 19 Sep 2021 12:31:20 -0400 Received: from [127.0.0.1] (helo=sfs-ml-4.v29.lw.sourceforge.com) by sfs-ml-4.v29.lw.sourceforge.com with esmtp (Exim 4.90_1) (envelope-from ) id 1mRzht-0000DN-3C; Sun, 19 Sep 2021 16:30:21 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-4.v29.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.90_1) (envelope-from ) id 1mRzhk-0000D9-84 for openvpn-devel@lists.sourceforge.net; Sun, 19 Sep 2021 16:30:12 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:References: In-Reply-To:Message-Id:Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=hhgqcJpDR83Fd8q59DD2yXf2kgHGoDyGZRFgFYx0+jA=; b=aswkgh9AxLJu6j/Og28LUtUj4G bQYhs7Xdfz17FLqx9geAnqmkA+e13fpLtktpqzhu5KkOjqZNI17T+qyqodIe6vh6Uav8jobmpdNei hwKYzRQ9kO9nYnN/4Zg282vbbHABeGcy7GzR2D7PdpE1n8evgkx1joVIfUm7KmK3bK0o=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To:Message-Id: Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=hhgqcJpDR83Fd8q59DD2yXf2kgHGoDyGZRFgFYx0+jA=; b=MhdBZpOTrr4HPAZhuUQ26zXJAG ZZmiWCQ6vwq4YjFCdXpX9Ve0m1BjcTuj6UNKYzT/gfBUhkglHC22EUr3MqkiIaLOHbjgbJZ4C9gkW ES9yQNtw9GdJn6BZxyRLIJxoS8CqZZ7RUJLsX4JaYeBJK6oPJKV8UDF09m9GtAgWSdXw=; Received: from mail.blinkt.de ([192.26.174.232]) by sfi-mx-2.v28.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.92.3) id 1mRzhf-00052h-6Q for openvpn-devel@lists.sourceforge.net; Sun, 19 Sep 2021 16:30:12 +0000 Received: from kamera.blinkt.de ([2001:638:502:390:20c:29ff:fec8:535c]) by mail.blinkt.de with smtp (Exim 4.94.2 (FreeBSD)) (envelope-from ) id 1mRzhU-0002Ym-Py for openvpn-devel@lists.sourceforge.net; Sun, 19 Sep 2021 18:29:56 +0200 Received: (nullmailer pid 695567 invoked by uid 10006); Sun, 19 Sep 2021 16:29:57 -0000 From: Arne Schwabe To: openvpn-devel@lists.sourceforge.net Date: Sun, 19 Sep 2021 18:29:55 +0200 Message-Id: <20210919162956.695496-7-arne@rfc2549.org> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20210919162956.695496-1-arne@rfc2549.org> References: <20210919162956.695496-1-arne@rfc2549.org> MIME-Version: 1.0 X-Spam-Report: Spam detection software, running on the system "util-spamd-2.v13.lw.sourceforge.com", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: This code mainly sets the parity bits in the DES keys. As mbed TLS and OpenSSL already ignore these bits in the DES key and since DES is deprecated, remove this special DES code that is not even neede [...] Content analysis details: (0.3 points, 6.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 0.0 SPF_NONE SPF: sender does not publish an SPF Record 0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record X-Headers-End: 1mRzhf-00052h-6Q Subject: [Openvpn-devel] [PATCH 7/8] [OSSL 3.0] Remove DES key fixup code X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox This code mainly sets the parity bits in the DES keys. As mbed TLS and OpenSSL already ignore these bits in the DES key and since DES is deprecated, remove this special DES code that is not even needed by the libraries. --- src/openvpn/crypto.c | 46 ------------------------------------ src/openvpn/crypto.h | 2 -- src/openvpn/crypto_backend.h | 9 ------- src/openvpn/crypto_mbedtls.c | 19 --------------- src/openvpn/crypto_openssl.c | 21 ---------------- src/openvpn/ntlm.c | 1 - src/openvpn/ssl.c | 18 -------------- 7 files changed, 116 deletions(-) diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c index 1dfc760f9..ce041153f 100644 --- a/src/openvpn/crypto.c +++ b/src/openvpn/crypto.c @@ -956,45 +956,6 @@ check_key(struct key *key, const struct key_type *kt) return true; } -/* - * Make safe mutations to key to ensure it is valid, - * such as ensuring correct parity on DES keys. - * - * This routine cannot guarantee it will generate a good - * key. You must always call check_key after this routine - * to make sure. - */ -void -fixup_key(struct key *key, const struct key_type *kt) -{ - struct gc_arena gc = gc_new(); - if (kt->cipher) - { -#ifdef ENABLE_DEBUG - const struct key orig = *key; -#endif - const int ndc = key_des_num_cblocks(kt->cipher); - - if (ndc) - { - key_des_fixup(key->cipher, kt->cipher_length, ndc); - } - -#ifdef ENABLE_DEBUG - if (check_debug_level(D_CRYPTO_DEBUG)) - { - if (memcmp(orig.cipher, key->cipher, kt->cipher_length)) - { - dmsg(D_CRYPTO_DEBUG, "CRYPTO INFO: fixup_key: before=%s after=%s", - format_hex(orig.cipher, kt->cipher_length, 0, &gc), - format_hex(key->cipher, kt->cipher_length, 0, &gc)); - } - } -#endif - } - gc_free(&gc); -} - void check_replay_consistency(const struct key_type *kt, bool packet_id) { @@ -1043,10 +1004,6 @@ generate_key_random(struct key *key, const struct key_type *kt) dmsg(D_SHOW_KEY_SOURCE, "Cipher source entropy: %s", format_hex(key->cipher, cipher_len, 0, &gc)); dmsg(D_SHOW_KEY_SOURCE, "HMAC source entropy: %s", format_hex(key->hmac, hmac_len, 0, &gc)); - if (kt) - { - fixup_key(key, kt); - } } while (kt && !check_key(key, kt)); gc_free(&gc); @@ -1589,9 +1546,6 @@ verify_fix_key2(struct key2 *key2, const struct key_type *kt, const char *shared for (i = 0; i < key2->n; ++i) { - /* Fix parity for DES keys and make sure not a weak key */ - fixup_key(&key2->keys[i], kt); - /* This should be a very improbable failure */ if (!check_key(&key2->keys[i], kt)) { diff --git a/src/openvpn/crypto.h b/src/openvpn/crypto.h index 759da4bfb..e9ba21ab2 100644 --- a/src/openvpn/crypto.h +++ b/src/openvpn/crypto.h @@ -288,8 +288,6 @@ void check_replay_consistency(const struct key_type *kt, bool packet_id); bool check_key(struct key *key, const struct key_type *kt); -void fixup_key(struct key *key, const struct key_type *kt); - bool write_key(const struct key *key, const struct key_type *kt, struct buffer *buf); diff --git a/src/openvpn/crypto_backend.h b/src/openvpn/crypto_backend.h index e0bfdf585..cc897acf4 100644 --- a/src/openvpn/crypto_backend.h +++ b/src/openvpn/crypto_backend.h @@ -170,15 +170,6 @@ int key_des_num_cblocks(const cipher_kt_t *kt); */ bool key_des_check(uint8_t *key, int key_len, int ndc); -/* - * Fix the given DES key, setting its parity to odd. - * - * @param key Key to check - * @param key_len Length of the key, in bytes - * @param ndc Number of DES cblocks that the key is made up of. - */ -void key_des_fixup(uint8_t *key, int key_len, int ndc); - /** * Encrypt the given block, using DES ECB mode * diff --git a/src/openvpn/crypto_mbedtls.c b/src/openvpn/crypto_mbedtls.c index e2f5f4012..2c4a1405c 100644 --- a/src/openvpn/crypto_mbedtls.c +++ b/src/openvpn/crypto_mbedtls.c @@ -434,25 +434,6 @@ err: return false; } -void -key_des_fixup(uint8_t *key, int key_len, int ndc) -{ - int i; - struct buffer b; - - buf_set_read(&b, key, key_len); - for (i = 0; i < ndc; ++i) - { - unsigned char *key = buf_read_alloc(&b, MBEDTLS_DES_KEY_SIZE); - if (!key) - { - msg(D_CRYPT_ERRORS, "CRYPTO INFO: fixup_key_DES: insufficient key material"); - return; - } - mbedtls_des_key_set_parity(key); - } -} - /* * * Generic cipher key type functions diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c index 9df6da02c..8637be86d 100644 --- a/src/openvpn/crypto_openssl.c +++ b/src/openvpn/crypto_openssl.c @@ -564,27 +564,6 @@ err: #endif } -void -key_des_fixup(uint8_t *key, int key_len, int ndc) -{ - int i; - struct buffer b; - - buf_set_read(&b, key, key_len); - for (i = 0; i < ndc; ++i) - { - DES_cblock *dc = (DES_cblock *) buf_read_alloc(&b, sizeof(DES_cblock)); - if (!dc) - { - msg(D_CRYPT_ERRORS, "CRYPTO INFO: fixup_key_DES: insufficient key material"); - ERR_clear_error(); - return; - } - DES_set_odd_parity(dc); - } -} - - /* * * Generic cipher key type functions diff --git a/src/openvpn/ntlm.c b/src/openvpn/ntlm.c index 3abe3b7e3..28e68ded5 100644 --- a/src/openvpn/ntlm.c +++ b/src/openvpn/ntlm.c @@ -67,7 +67,6 @@ create_des_keys(const unsigned char *hash, unsigned char *key) key[5] = ((hash[4] & 31) << 3) | (hash[5] >> 5); key[6] = ((hash[5] & 63) << 2) | (hash[6] >> 6); key[7] = ((hash[6] & 127) << 1); - key_des_fixup(key, 8, 1); } static void diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index b2dc48be2..ee416a64c 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -1739,24 +1739,6 @@ generate_key_expansion_openvpn_prf(const struct tls_session *session, struct key } secure_memzero(&master, sizeof(master)); - - - /* - * fixup_key only correctly sets DES parity bits if the cipher is a - * DES variant. - * - * The newer OpenSSL and mbed TLS libraries (those that support EKM) - * ignore these bits. - * - * We keep the DES fixup here as compatibility. - * OpenVPN3 never did this fixup anyway. So this code is *probably* not - * required but we keep it for compatibility until we remove DES support - * since it does not hurt either. - */ - for (int i = 0; i < 2; ++i) - { - fixup_key(&key2->keys[i], &session->opt->key_type); - } key2->n = 2; return true; From patchwork Sun Sep 19 06:29:56 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 1957 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director11.mail.ord1d.rsapps.net ([172.30.191.6]) by backend30.mail.ord1d.rsapps.net with LMTP id SD0kM9hlR2FyHgAAIUCqbw (envelope-from ) for ; Sun, 19 Sep 2021 12:31:20 -0400 Received: from proxy18.mail.ord1d.rsapps.net ([172.30.191.6]) by director11.mail.ord1d.rsapps.net with LMTP id IAr9MthlR2EAQwAAvGGmqA (envelope-from ) for ; Sun, 19 Sep 2021 12:31:20 -0400 Received: from smtp3.gate.ord1d ([172.30.191.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy18.mail.ord1d.rsapps.net with LMTPS id QPiPMthlR2EcVwAATCaURg (envelope-from ) for ; Sun, 19 Sep 2021 12:31:20 -0400 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp3.gate.ord1d.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dmarc=none (p=nil; dis=none) header.from=rfc2549.org X-Suspicious-Flag: YES X-Classification-ID: 05075b02-1967-11ec-ab50-5254006d4589-1-1 Received: from [216.105.38.7] ([216.105.38.7:50828] helo=lists.sourceforge.net) by smtp3.gate.ord1d.rsapps.net (envelope-from ) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id 13/C7-02350-8D567416; Sun, 19 Sep 2021 12:31:20 -0400 Received: from [127.0.0.1] (helo=sfs-ml-1.v29.lw.sourceforge.com) by sfs-ml-1.v29.lw.sourceforge.com with esmtp (Exim 4.90_1) (envelope-from ) id 1mRzhu-0002qY-Tx; Sun, 19 Sep 2021 16:30:23 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-1.v29.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.90_1) (envelope-from ) id 1mRzht-0002pC-6B for openvpn-devel@lists.sourceforge.net; Sun, 19 Sep 2021 16:30:21 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:References: In-Reply-To:Message-Id:Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=XJZ0rLCVaSsFs6ttKA32RHs9uglznBY3IoAE44Af8Lc=; b=MkplhfRrlfQKn+nnYLhgYtzkHk M2QSqLno2GYhjj667Qr5xiZuOYTtmvxNDvq3ErGn8H3A8oXrqSIHjTwMTXVk7cEAGp5nLrzcB7Ixb 35miLZIaMa/SJBXYFj70B6kzcMzPUD1ft5gYcXQAQHzTebzIBuWyZgdubQQ8iMmpLA3Q=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To:Message-Id: Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=XJZ0rLCVaSsFs6ttKA32RHs9uglznBY3IoAE44Af8Lc=; b=Ic/jgK7eCpa7pMMafQu60n+mXb WpL1TJntcg/jN/c++v6xDN1U8Ld2OSwQqbQL2cCJemeuNGxbQ+eF+9M3VVvUAG/1cJ1HOAEQ9kYKE pu9FhQ0XQTc4/7vDdMwHBCZ8Wy+COFW1rMteQRg1IYZn/5+1s5T/arhh8IVAze6k9hjw=; Received: from mail.blinkt.de ([192.26.174.232]) by sfi-mx-1.v28.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.92.3) id 1mRzhi-00Fy7V-EA for openvpn-devel@lists.sourceforge.net; Sun, 19 Sep 2021 16:30:13 +0000 Received: from kamera.blinkt.de ([2001:638:502:390:20c:29ff:fec8:535c]) by mail.blinkt.de with smtp (Exim 4.94.2 (FreeBSD)) (envelope-from ) id 1mRzhU-0002Yq-T3 for openvpn-devel@lists.sourceforge.net; Sun, 19 Sep 2021 18:29:56 +0200 Received: (nullmailer pid 695570 invoked by uid 10006); Sun, 19 Sep 2021 16:29:57 -0000 From: Arne Schwabe To: openvpn-devel@lists.sourceforge.net Date: Sun, 19 Sep 2021 18:29:56 +0200 Message-Id: <20210919162956.695496-8-arne@rfc2549.org> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20210919162956.695496-1-arne@rfc2549.org> References: <20210919162956.695496-1-arne@rfc2549.org> MIME-Version: 1.0 X-Spam-Report: Spam detection software, running on the system "util-spamd-2.v13.lw.sourceforge.com", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: EC_Key methods are deprecated in OpenSSL 3.0. Use EVP_PKEY_get_group_name instead to query the EC group name from an EVP_PKEY and add a compatibility function for older OpenSSL versions. --- src/openv [...] Content analysis details: (0.3 points, 6.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 0.0 SPF_NONE SPF: sender does not publish an SPF Record 0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record X-Headers-End: 1mRzhi-00Fy7V-EA Subject: [Openvpn-devel] [PATCH 8/8] [OSSL 3.0] Use EVP_PKEY_get_group_name to query group name X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox EC_Key methods are deprecated in OpenSSL 3.0. Use EVP_PKEY_get_group_name instead to query the EC group name from an EVP_PKEY and add a compatibility function for older OpenSSL versions. --- src/openvpn/openssl_compat.h | 32 ++++++++++++++++++++++++++++++++ src/openvpn/ssl_openssl.c | 14 ++++++++------ 2 files changed, 40 insertions(+), 6 deletions(-) diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h index ce8e2b360..933a71848 100644 --- a/src/openvpn/openssl_compat.h +++ b/src/openvpn/openssl_compat.h @@ -46,6 +46,38 @@ #include #include +/* Functionality missing in 1.1.1 */ +#if OPENSSL_VERSION_NUMBER < 0x30000000L + +/* Note that this is not a perfect emulation of the new function but + * is good enough for our case of printing certificate details during + * handshake */ +static inline +int EVP_PKEY_get_group_name(EVP_PKEY *pkey, char *gname, size_t gname_sz, + size_t *gname_len) + { + if ((EVP_PKEY_get0_EC_KEY(pkey) == NULL || + EVP_PKEY_get0_EC_KEY(pkey) != NULL)) + { + return 0; + } + const EC_KEY* ec = EVP_PKEY_get0_EC_KEY(pkey); + const EC_GROUP* group = EC_KEY_get0_group(ec); + + int nid = EC_GROUP_get_curve_name(group); + + if (nid != 0) + { + return 0; + } + const char *curve = OBJ_nid2sn(nid); + + strncpy(gname, curve, gname_sz); + *gname_len = min_int(strlen(curve), gname_sz); + return 1; +} +#endif + /* Functionality missing in 1.1.0 */ #if OPENSSL_VERSION_NUMBER < 0x10101000L && !defined(ENABLE_CRYPTO_WOLFSSL) #define SSL_CTX_set1_groups SSL_CTX_set1_curves diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index 68cdb880c..dc0ae20a7 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -2049,13 +2049,15 @@ print_cert_details(X509 *cert, char *buf, size_t buflen) int typeid = EVP_PKEY_id(pkey); #ifndef OPENSSL_NO_EC - if (typeid == EVP_PKEY_EC && EVP_PKEY_get0_EC_KEY(pkey) != NULL) + char groupname[256]; + if (typeid == EVP_PKEY_EC) { - const EC_KEY *ec = EVP_PKEY_get0_EC_KEY(pkey); - const EC_GROUP *group = EC_KEY_get0_group(ec); - - int nid = EC_GROUP_get_curve_name(group); - if (nid == 0 || (curve = OBJ_nid2sn(nid)) == NULL) + size_t len; + if(EVP_PKEY_get_group_name(pkey, groupname, sizeof(groupname), &len)) + { + curve = groupname; + } + else { curve = "(error getting curve name)"; }